information technology governance & collaboration framework

Information Technology Governance & Collaboration

Framework

Enabling effective decision-making and collaboration at Memorial

Office of the Chief Information Officer

Version 1.1 November 26, 2019

Revision History

1.0 September 26, 2017 Approved by Vice Presidents’ Council 1.1 November 26, 2019 Updated after continuous improvement review

of 18

Table of Contents

1. Overview ............................................................................................................................. 3

2. Principles for IT Governance and Collaboration at Memorial ............................................... 4

3. Framework Structure .......................................................................................................... 5

3.1 IT Governance and Collaboration Council .................................................................... 6

3.2 Academic and Student Life IT Committee .................................................................... 7

3.3 Research IT Committee ..............................................................................................10

3.4 Administrative Services IT Committee.........................................................................12

3.5 Core and Security IT Committee .................................................................................14

4. IT Investment Decision-Making ..........................................................................................16

4.1. IT Investment Categorization ......................................................................................16

4.2. IT Investment Review .................................................................................................17

Appendices ...............................................................................................................................18

Appendix A: Standard IT Investment Review .........................................................................18

of 18

1. Overview An effective governance and collaboration framework ensures the right people are talking to each other with the right information to make the best decisions possible. Memorial’s IT Governance and Collaboration Framework defines organizational structures and processes enabling academic, administrative and IT leaders to make informed decisions based on institutional objectives. This framework was developed by the IT Governance Working Group, a committee of Vice Presidents Council. Appendix A lists the working group members and Appendix B outlines the framework development process.

The goals of the framework include improved alignment of IT strategy and investment to Memorial’s academic mission and priorities, and improved IT decision-making across the university.

With Memorial’s IT Governance and Collaboration Framework:

• Decision-making will be transparent and aligned to overall university priorities, while considering individual unit and campus requirements, and respecting Memorial’s multi-campus model.

• Representation from appropriate stakeholders will be incorporated to inform decision-making. • Appropriate assessments of investment decisions and technology solutions will be conducted. • Coherent planning and decision-making will occur. • Resource allocation will be better understood and more efficient. • Less-resourced areas will have improved access to IT support and tools. • Risk associated with technology solutions will be reduced, improving the ability to comply with

legislation and protect information.

This framework is a step towards improving IT decision-making and planning through collaboration. It will be reviewed regularly and updated as required. The framework aims to facilitate coordinated planning to increase success and to ensure the optimal use of limited resources.

of 18

2. Principles for IT Governance and Collaboration at Memorial

The IT Governance and Collaboration Framework at Memorial is based in Memorial’s Core Values of integrity, excellence, responsiveness, accountability and collegiality.

Effectiveness

IT governance and collaboration enables the most effective use of IT resources. Decisions are made by balancing short term and individual requirements with those that are longer-term or that may affect the entire institution. The needs of learners, educators, researchers, administrators and other members of the community are key considerations in IT decisions.

Partnership

Effective IT governance and collaboration depends on strong partnerships. The strengths of a federated IT service delivery model and a multi-campus structure will be leveraged to create synergies, consider the impacts of decisions on individual units and the university as a whole, reduce duplication of effort and solutions, and share best practice.

Stewardship

IT investments and priorities are determined within the governance and collaboration framework, in which coherent decisions lead to sustainable solutions. IT investment is considered using common criteria and is prioritized according to common principles.

http://www.mun.ca/president/home/vision.php

http://www.mun.ca/president/home/vision.php

of 18

3. Framework Structure The IT governance and collaboration framework structure is designed to enable the discussion of initiatives, challenges and priorities within a functional context. There are four committees representing the areas of academic and student life, research, administrative services, and IT infrastructure. The IT Governance and Collaboration Council, a committee of Vice-Presidents Council is chaired by the CIO and comprised of the chairs of the four committees and other key stakeholders. It is the body accountable for recommending IT policies, strategies and overall IT governance.

In addition to the committees within the formal framework, other committees and councils exist which will provide input, propose initiatives and have an impact on IT governance and collaboration at Memorial. These include, for example: Deans Council, the Senate Committee on Teaching and Learning, the Senate Committee on Research, and the Joint Managers Group, among others.

of 18

3.1 IT Governance and Collaboration Council Authority

The IT Governance and Collaboration Council is established under the authority of Vice-Presidents Council (VPC) as a subcommittee of VPC. It is the senior body accountable for recommending university IT policies, strategies and overall governance. Its purpose is to oversee and make improvements to the university’s IT Governance and Collaboration Framework and to provide advice and make recommendations to the CIO or Vice Presidents Council with respect to IT at Memorial.

Mandate

The Council is responsible to:

• Ensure decisions are aligned strategically with institutional priorities • Provide stewardship for those components of the university’s IT investment portfolio which

are within the parameters of the IT Governance and Collaboration Framework • Receive and address key issues, decisions, and recommendations from the IT governance

and collaboration committees, and other relevant committees and councils • Refer issues, questions and plans to IT governance and collaboration committees for further

study, review and/or recommendation • Finalize investment decisions and make recommendations to the CIO • Determine the overall priorities by combining the prioritized investment portfolios from each of

the IT governance and collaboration committees, as required • Ensure that the framework is regularly reviewed and improved, as required • Provide regular updates to Dean’s Council on IT investments, policies, and plans

Membership

Chair The Chair shall be the Chief Information Officer and Director of IT Services of Memorial University.

Council • Chairs of each of the IT governance and collaboration committees • Associate Vice-President (Finance and Administration), Grenfell Campus • Associate Vice-President (Finance and Administration), Marine Institute • Associate Vice-President (Research) • Representation selected by Deans’ Council* • Chief Operating Officer, Faculty of Medicine • Associate Vice-President, Teaching and Learning, and Director, CITL • Director, Information Management and Protection • University Librarian • Director of Student Life • Director of Research Grant and Contract Services • University Registrar • Associate Vice-President (Academic) • University Access and Privacy Officer, Office of the CIO • Director of Operations, Office of the Vice-President Finance and Administration • Manager of Strategy, Planning and Liaison, Office of the CIO (non-voting)

of 18

* Representatives are selected by Deans’ Council after consultation about objectives and requirements. Representatives on the ITGC Council will serve a two-year term and provide regular updates to Deans’ Council.

There will be no delegates permitted to attend Council meetings.

Alternative representation can be sought by the Chair if a member misses three consecutive meetings without sending regrets.

Input

The committee will seek expertise and receive recommendations from the following, including but not exclusive to:

• Executive • Senate • Senior Academic and Administrative Group (SAAG) • Leadership Group (Grenfell Campus) • Executive Forum (Marine Institute) • Senior Management Committee, Faculty of Medicine

Support

The Manager of Strategy, Planning and Liaison, Office of the CIO provides administrative and logistical support by serving as the Secretary to the Council and custodian of the Council’s records.

Operations

Agenda Setting

Agendas shall be developed by the Secretary, in collaboration with the Chair. Agenda items shall be solicited in advance of the meeting from Council members. Agendas shall be circulated to Council members at least 5 working days prior to Council meetings. A standing agenda item will include a review of the overall IT investment portfolio, including any new proposals added to it.

Frequency of Meetings

The Council meets every two months, or upon the call of the Chair.

Decision Making

Formal decisions are determined by consensus. For critical decisions on which consensus cannot be reached, decisions will be made by a majority vote. A majority of the committee is required for a quorum.

Reporting

The Council will report to VPC annually, or at the request of VPC.

3.2 Academic and Student Life IT Committee Authority

of 18

The Academic and Student Life IT Committee is a subcommittee of the IT Governance and Collaboration Council. Its purpose is to recommend and prioritize academic and student IT investments (new and enhancements) that align with the operational and strategic needs of the university.

Mandate

The Academic and Student Life IT Committee discusses priorities and requirements for systems used in teaching and learning such as (but not limited to) computer labs, educational technology, and student administration and support systems. Responsibilities include:

• Develop and maintain an inventory of IT products and services used for academic and student life

• Evaluate and determine the priority of IT investment proposals within the Academic and Student Life IT Investment Portfolio

• Propose IT policies, standards, guidelines, and procedures related to academic and student support

• Foster communication and share expertise on IT issues and practices

Membership

Chair

The Chair shall be selected by the committee and serve a two-year term with the potential to be renewed.

Committee

• Up to three representatives selected by Deans’ Council* • One representative from each:

o Office of the Registrar o Student Life o Student Residences o Centre for Innovation in Teaching and Learning o Faculty of Medicine o Grenfell Campus o Marine Institute o Memorial Libraries o Ancillary Operations o IT Student Services Advisory Committee o MUN Student Union o Graduate Student Union

* Representatives are selected by Deans’ Council after consultation about objectives and requirements.

If members are sending a delegate, it is important to ensure consistency in terms of the individual selected to attend as a delegate and the use of delegates should be kept to a minimum to ensure continuity. Permission should be sought from the Chair in advance of sending delegates to a meeting.

of 18


Term

The IT Governance and Collaboration Council, in consultation with units from which members are appointed, will appoint Committee members for an initial two-year term, with the potential to be renewed. Members may also be re-appointed, replaced or staggered by the IT Governance and Collaboration Council to ensure continuity.

Input


• Senate Committee on Teaching and Learning • The Commons Management Committee • Units/unit heads • University Access and Privacy Officer

Support

An Office of the CIO staff member provides administrative support to the Committee by serving as the Secretary and custodian of the Committee’s records.

Meetings

Agenda Setting

Agendas shall be developed by the Secretary, in collaboration with the Chair. Members of the Committee may propose agenda items to be discussed in Committee meetings. Agenda items may also be suggested by anyone in the university community (e.g. non-committee members) by directly contacting the Chair or the Office of the CIO. Agendas shall be circulated to Committee members at least 5 working days prior to Committee meetings. A standing agenda item will include a review of new investment proposals received since the previous meeting.


The Committee shall meet bi-monthly or upon the call of the Chair.

Decision Making

Formal decisions are determined by consensus. For critical decisions on which consensus cannot be reached, decisions will be made by a majority vote. A majority of the committee is required for a quorum.

Reporting

The Committee will report to the IT Governance and Collaboration Council at Council meetings, or at the request of the Council.

of 18

3.3 Research IT Committee Authority

The Research IT Committee is a subcommittee of the IT Governance and Collaboration Council. Its purpose is to recommend and prioritize research IT investments (new and enhancements) that align with the operational and strategic needs of the institution.

Mandate

The Research IT Committee focuses on the varied needs of researchers at Memorial including, but not limited to research data centres, high performance computing services, support systems, tools, and data storage and backup. Responsibilities include:

• Develop and maintain an inventory of IT products and services used for research • Evaluate and determine the feasibility of IT investment proposals within the Research IT

Investment Portfolio and identify opportunities for collaboration • Propose IT policies, standards, guidelines, and procedures related to research • Foster communication and share expertise on IT issues and practices

Membership

Chair

The Chair shall be selected by the committee and serve a two-year term with the potential to be renewed.

Committee

• Up to three representatives selected by Deans’ Council* • Up to two representatives selected by Senate Committee on Research • One representative from each:

o Research Grant and Contract Services o CREAIT, CRC and CFI Services o Memorial Libraries o Marine Institute o Grenfell Campus o Faculty of Medicine o Office of the CIO o ACENET o IT Student Services Advisory Committee o Graduate Student Union

* Representatives are selected by Deans’ Council after consultation about objectives and requirements.


of 18


Term


Input


• Senate Committee on Research • Faculty Councils • CREAIT, CRC and CFI Services • Centre for Health Informatics and Analytics (CHIA) • Research units at Marine Institute • Units/unit heads • University Access and Privacy Officer

Support

An Office of the CIO staff member provides administrative support to the Committee by serving as Secretary and custodian of the Committee’s records.

Operations

Agenda Setting

Agendas shall be developed by the Secretary, in collaboration with the Chair. Members of the Committee may propose agenda items to be discussed in Committee meetings. Agenda items may also be suggested by anyone in the university community (i.e. non-committee members) by directly contacting the Chair or the Office of the CIO. Agendas shall be circulated to Committee members at least 5 working days prior to Committee meetings. A standing agenda item will include a review of new investment proposals received since the previous meeting.



Decision Making

Formal decisions will be determined by consensus. For critical decisions on which consensus cannot be reached, decisions will be made by a majority vote. A majority of the committee is required for a quorum.

Reporting


of 18

3.4 Administrative Services IT Committee Authority

The Administrative IT Committee is a subcommittee of the IT Governance and Collaboration Council. Its purpose is to recommend and prioritize administrative IT investments (new and enhancements) that align with the operational and strategic needs of the institution.

Mandate

The Administrative IT Committee prioritizes and identifies requirements for systems that support finance, budget, human resources, pensions, facilities management, development/advancement and ancillary operations. Responsibilities include:

• Develop and maintain an inventory of IT products and services used for administrative services

• Evaluate and determine the priority of IT investment proposals within the Administrative Services IT Investment Portfolio

• Propose IT policies, standards, guidelines, and procedures related to administrative services

• Foster communication and share expertise on IT issues and practices

Membership

Chair

The Chair shall be selected by the Committee and serve a two-year term with the potential to be renewed.

Committee

• One representative from each: o Office of the Vice-President

Finance and Administration o Office of the Vice-President

Academic and Provost o Office of the President o Human Resources o Finance and Administration o Facilities Management o Office of the Chief Risk Officer o Marine Institute o Grenfell Campus

o Faculty of Medicine o Alumni Affairs o Office of the CIO o Office of the Registrar o Marketing & Communications o Centre for Institutional Analysis o Budget Office o Office of Public Engagement o Department of Technical

Services


of 18


Term


Input


• IT Services • Joint Managers Group • Units/unit heads • University Access and Privacy Officer

Support


Operations

Agenda Setting

Agendas shall be developed by the Secretary, in collaboration with the Chair. Members of the Committee may propose agenda items to be discussed in Committee meetings. Agenda items may also be suggested by anyone in the university community (e.g. non-committee members) by directly contacting the Chair or the Office of the CIO. Agendas shall be circulated to Committee members at least 5 working days prior to Committee meetings. A standing agenda item will include a review of new investment proposals received since the previous meeting.



Decision Making


Reporting


of 18

3.5 Core and Security IT Committee Authority

The Core IT and Security Committee is a subcommittee of the IT Governance and Collaboration Council. Its purpose is to recommend and prioritize IT infrastructure investments (new and enhancements) that align with the operational and strategic needs of the institution.

Mandate

The Core IT and Security Committee is responsible for providing and/or coordinating technical reviews to ensure technology solutions align with Memorial’s information technology and information management policy and standards framework and practices.

The Core IT and Security Committee focuses on enterprise IT infrastructure which encompasses centrally coordinated, shared IT services that provide the foundation for the university's IT capability. These services include the networks (wired and wireless), firewalls, security, data centres, virtual and physical servers, storage, databases, enterprise directories, and applications used across the university such as DNS, DHCP, videoconferencing tools, authentication systems, and email. This Committee provides an opportunity for increasing efficiency, adopting best practices, complying with legislation, and reducing risk by defining IT integration and standardization requirements, and enabling shared services across the university.

Additional responsibilities include:

• Develop and maintain an inventory of core IT products and services • Evaluate and determine the priority of IT investment proposals within the core IT

Investment Portfolio • Propose IT policies, standards, guidelines, and procedures related to core IT and/or

information protection and security • Foster communication and share expertise on IT issues and practices • Provide and/or coordinate technical, operational and compliance reviews • Decision-making for IT architecture, practices, policies and operations • Plan for future infrastructure requirements

Membership

Chair

The Chair shall be the Director, Information Management and Protection, Office of the CIO.

Committee

• Director, Information Management and Protection • Director, IT Services, Grenfell Campus • Manager, Information and Communications Technology, Marine Institute • Director, HSIMS, Faculty of Medicine • Manager of IT, Memorial Libraries • Manager, Operations, CREAIT

of 18

• Assistant Director, Systems and Technologies, Centre for Innovation in Teaching and Learning

• Manager, Centre for Health Informatics and Analytics • Systems Manager, Department of Computer Science (Labnet)



Input


• CIOS IT Forum • Identity and Access Management Advisory Committee • University Access and Privacy Officer • Units/unit heads

Support


Operations

Agenda Setting

Agendas shall be developed by the Secretary, in collaboration with the Chair. Members of the Committee may propose agenda items to be discussed in committee meetings. Agenda items may also be suggested by anyone in the university community (e.g. non-committee members) by directly contacting the Chair or the Office of the CIO. Agendas shall be circulated to Committee members at least 5 working days prior to Committee meetings. A standing agenda item will include a review of new investment proposals received since the previous meeting.


The Committee shall meet monthly or upon the call of the Chair.

Decision Making


Reporting

of 18


4. IT Investment Decision-Making All IT investment decisions should be made in accordance with the Principles for IT Governance at Memorial and the IT Investment Policy. Certain types of investment decisions should not be made unilaterally, and require the input of a broad set of appropriate stakeholders to ensure alignment with university priorities, appropriate risk management, and overall accountability.

4.1. IT Investment Categorization Category 1 IT investments are those that are not significant at a level which makes them meet any of the criteria for Category 2 IT investments. Category 1 investment decisions may be made at the unit level in accordance with purchasing and other applicable policies and practices.

Examples of Category 1 IT investments include desktop computers and peripheral devices, mobile devices (e.g. laptops, smartphones and tablets), websites or web applications that do not require authentication or databases, and lab-based software and hardware.

Category 2 IT investments require an IT investment proposal that is reviewed and approved within the IT Governance and Collaboration Framework through the investment review processes. IT solutions are also reviewed to ensure alignment with Memorial’s IT and information management policies, standards and practices.

Category 2 investments meet one or more of the following criteria:

• Requires integration with core university networks and/or infrastructure o This includes IT investments that require

Modifications to network configuration and design Changes in security practices, settings and/or rules The movement of large amounts (e.g. TBs) of data over the network Access to data centre services (servers, storage, databases, etc.)

• Requires data and/or system integration, and/or sharing of data between multiple campuses, units, communities and/or systems

o This includes IT investments that require Integration with enterprise authentication systems Data integration with systems of record (e.g. Banner, Campus Card) or

administrative systems The creation and management of accounts for access management Online payment functionality

• Requires a risk assessment by the Office of the CIO o This includes, but not limited to, IT investments that require

A cloud assessment by Information Management and Protection A vulnerability assessment by Information Management and Protection A privacy impact assessment by Information Access and Privacy

http://www.mun.ca/policy/site/policy.php?id=276

of 18

Examples of Category 2 IT investments include servers and data storage and backup; networking and telecommunications equipment, software and services; software to be installed on servers in the enterprise data centre and require data integration with systems of record or administrative systems; cloud-based services that require data integration with systems of record or administrative systems; products or services that has (or potentially has) broad use across the university; services and products that require firewall changes; new data centres or consolidation of existing data centres.

4.2. IT Investment Review Category 2 IT Investments require the completion of an investment proposal which is reviewed by one or more of the governance committees. Proposals may come from individuals, units, governance committees and/or other groups within Memorial. Proposed IT investments are reviewed and prioritized based upon the following criteria:

• How well proposal aligns with university priorities and needs • Addresses legislative compliance • Duplication of business solution • Funding availability (one-time versus ongoing) • Implementation effort • Benefits of business solution • Institutional risk

The IT Governance and Collaboration Council will receive updates on the prioritized investment portfolios from the four governance committees. The Council may be asked to determine the overall priority of proposed IT investments to inform IT resource allocation decisions.

Once an IT investment proposal is endorsed, the proponent works with the Office of the CIO to determine the technology solution, if it has not been identified. During this process, business requirements are reviewed, existing potential solutions are discussed, data requirements are identified, and the end-user experience (if relevant) is determined. Additionally, a technical, operational and compliance review takes place to ensure the technology solution aligns with Memorial’s IT and information management environment. During this process, relevant security, cloud and privacy assessments are completed; network requirements and integration requirements determined; licensing requirements and budget identified; and a plan for technology sustainability developed.

Appendix C contains a flowchart describing the review of Category 2 IT investments.

Appeals - Decisions of the IT Governance and Collaboration Council may be appealed to the CIO.

Exceptions - There will be situations where IT investments will need to take place and undergoing the standard IT investment review process will not be feasible. In the case of emergencies (e.g. a new function requires investment in technology quickly) and opportunities (e.g. funding becomes available from an external source with tight timelines and/or spending restrictions), a proponent must inform the appropriate Committee so that the exception can be documented. The Committee will then notify the IT Governance and Collaboration Council.

Appendices

Appendix A: Standard IT Investment Review

information technology governance & collaboration framework

Documents